
I immediately set out to compare file sizes and detection counts on VirusTotal. What I found out was rather shocking. Check out the results of 2 different variants, both shellcode exploits [Note: names are randomly generated, but the sizes of the files are so similar as to assume they are different variants]:

A useful trick for finding exploit kits on Google is the following query: “* exploit kit.zip”.

This searches for all websites containing (any characters) exploit kit.zip, and it is not case sensitive. This search provides the best results. For a more specific but narrower result, replace the star (*) with the name of the exploit kit you wish to download. For example: “Crimeware exploit kit.zip”.

As you can see, there is no obfuscation. They aren’t trying to hide anything; maybe they are trying to reduce generic AV detection. And the script looks simple enough, with a redirect to this podarunoki(dot)ru site…

Local File Inclusion (LFI) occurs when a web application includes a file whose name comes from user input; if that parameter is not validated properly, crafted values in the URL string can cause other files on the server to be included. A basic LFI-prone include looks like the following:

A legitimate request would look like this: example.com/index.php?file=services.php. It includes a file from the current directory and does not traverse to parent directories. This is the safe approach and should be the standard you use.

There is also the malicious approach: example.com/index.php?file=../../../etc/passwd. This walks up the directory tree and shows all the passwords (in hash form) found on a *nix system. The attacker would then be able to crack these passwords and gain file access.

However, PHP provides a handy function called str_replace(), which takes three arguments: the value to search for, what to replace it with, and the string we’re dealing with. Naturally, we can remove all the ‘up directory’ sequences as follows:
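A concrete PHP version of the three variants discussed above, added here as an example and not taken from the original post: the unvalidated include, the str_replace() strip the text describes, and an allowlist check combined with realpath() containment, which is the form a practitioner would actually rely on, since a single string replacement by itself is not considered a reliable defense against path traversal. The pages/ directory name and the allowed filenames are assumptions constructed for the example.

```php
<?php
// Added example, not code from the original post. Assumes the includable
// files live in a "pages/" directory next to this script; the filenames in
// ALLOWED_PAGES are constructed for illustration.

// 1. The vulnerable pattern from the post: the request parameter goes
//    straight into include(), so "../" sequences escape the intended directory.
function includeUnsafe(string $file): void
{
    include $file;                            // VULNERABLE: no validation at all
}

// 2. The post's mitigation: strip the "up directory" sequence before including.
//    str_replace(search, replace, subject) removes every literal "../".
function stripTraversal(string $file): string
{
    return str_replace('../', '', $file);    // "../../../etc/passwd" -> "etc/passwd"
}

// 3. Allowlist: only names explicitly permitted can ever be included. This does
//    not depend on guessing which characters a malicious request might contain.
const ALLOWED_PAGES = ['index.php', 'services.php', 'contact.php'];

function resolveAllowed(string $file): ?string
{
    return in_array($file, ALLOWED_PAGES, true) ? __DIR__ . '/pages/' . $file : null;
}

// 4. Containment: canonicalise the requested path with realpath() and confirm
//    it still sits under the pages/ directory once any ".." has been resolved.
function resolveContained(string $file): ?string
{
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . $file);
    if ($base === false || $real === false) {
        return null;                          // directory or file does not exist
    }
    // Compare including the trailing separator so a sibling directory whose
    // name merely starts with "pages" is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Usage with the request parameter from the post's example. Both checks are
// applied: the name must be allowlisted and the resolved path must be contained.
$requested = $_GET['file'] ?? 'index.php';
$target = resolveAllowed($requested);
if ($target === null || resolveContained($requested) === null) {
    http_response_code(400);
    exit('invalid page');
}
include $target;
```

The allowlist alone is sufficient when the set of includable pages is fixed; the realpath() check is the fallback for applications that must accept a wider range of filenames, because it judges the path the filesystem will actually open rather than the characters the user typed.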